ID CVE-2018-11771
Summary When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:commons_compress:1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.16.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:commons_compress:1.17:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 18-04-2022 - 17:32)
Impact:
Exploitability:
CWE CWE-835
CAPEC
Access: Vector NETWORK, Complexity MEDIUM, Authentication NONE
Impact: Confidentiality NONE, Integrity NONE, Availability PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
refmap via4
bid 105139
mlist
  • [announce] 20180816 [CVE-2018-11771] Apache Commons Compress 1.7 to 1.17 denial of service vulnerability
  • [commons-commits] 20190827 [commons-compress] branch master updated: record CVE-2019-12402
  • [commons-notifications] 20190827 svn commit: r1049290 - in /websites/production/commons/content/proper/commons-compress: changes-report.html security-reports.html
  • [creadur-dev] 20190530 [Discuss] RAT-244 - update to language level 1.7 due to CVE issues in RAT
  • [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
  • [tinkerpop-commits] 20190923 [GitHub] [tinkerpop] justinchuch opened a new pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
  • [tinkerpop-commits] 20190923 [GitHub] [tinkerpop] robertdale commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
  • [tinkerpop-commits] 20190923 [GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
  • [tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
  • [tinkerpop-commits] 20190924 [GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
  • [tinkerpop-commits] 20190930 [GitHub] [tinkerpop] spmallette merged pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
  • [tinkerpop-dev] 20190924 [GitHub] [tinkerpop] justinchuch commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
  • [tinkerpop-dev] 20190924 [GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
  • [tinkerpop-dev] 20190930 [GitHub] [tinkerpop] spmallette closed pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771
sectrack 1041503
Last major update 18-04-2022 - 17:32
Published 16-08-2018 - 15:29
Last modified 18-04-2022 - 17:32